From 1a940cb46e1fb06b391043ae2efa3ac0d3c49fe0 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Sat, 17 Nov 2018 20:07:49 +0000 Subject: tests: add tests for contain_origin_from_id() --- test/web/activity_pub/transmogrifier_test.exs | 38 +++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) (limited to 'test/web') diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs index 6320b5b6e..b8adf3b8a 100644 --- a/test/web/activity_pub/transmogrifier_test.exs +++ b/test/web/activity_pub/transmogrifier_test.exs @@ -918,4 +918,42 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do :error = Transmogrifier.handle_incoming(data) end end + + describe "general origin containment" do + test "contain_origin_from_id() catches obvious spoofing attempts" do + data = %{ + "id" => "http://example.com/~alyssa/activities/1234.json" + } + + :error = + Transmogrifier.contain_origin_from_id( + "http://example.org/~alyssa/activities/1234.json", + data + ) + end + + test "contain_origin_from_id() allows alternate IDs within the same origin domain" do + data = %{ + "id" => "http://example.com/~alyssa/activities/1234.json" + } + + :ok = + Transmogrifier.contain_origin_from_id( + "http://example.com/~alyssa/activities/1234", + data + ) + end + + test "contain_origin_from_id() allows matching IDs" do + data = %{ + "id" => "http://example.com/~alyssa/activities/1234.json" + } + + :ok = + Transmogrifier.contain_origin_from_id( + "http://example.com/~alyssa/activities/1234.json", + data + ) + end + end end -- cgit v1.2.3 From dc1d8e13b483d6e5df4ea6432aa3e37971bb3fb1 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Sat, 17 Nov 2018 20:20:45 +0000 Subject: tests: add a testcase for user collision --- test/web/activity_pub/transmogrifier_test.exs | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'test/web') diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs index b8adf3b8a..f8a82dd5b 100644 --- a/test/web/activity_pub/transmogrifier_test.exs +++ b/test/web/activity_pub/transmogrifier_test.exs @@ -955,5 +955,17 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do data ) end + + test "users cannot be collided through fake direction spoofing attempts" do + user = + insert(:user, %{ + nickname: "rye@niu.moe", + local: false, + ap_id: "https://niu.moe/users/rye", + follower_address: User.ap_followers(%User{nickname: "rye@niu.moe"}) + }) + + {:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye") + end end end -- cgit v1.2.3 From 55640c4804d1fe1c39b155f8acd5f820425fb7f6 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Sat, 17 Nov 2018 20:31:20 +0000 Subject: tests: add a test to verify the general fake direction protection works in all cases --- test/web/activity_pub/transmogrifier_test.exs | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'test/web') diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs index f8a82dd5b..9174d9b76 100644 --- a/test/web/activity_pub/transmogrifier_test.exs +++ b/test/web/activity_pub/transmogrifier_test.exs @@ -967,5 +967,12 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do {:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye") end + + test "all objects with fake directions are rejected by the object fetcher" do + {:error, _} = + ActivityPub.fetch_and_contain_remote_object_from_id( + "https://info.pleroma.site/activity4.json" + ) + end end end -- cgit v1.2.3 From b1a6e8d80d47efdea5110e9d86e080a16b5aeaa8 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Sat, 17 Nov 2018 21:01:19 +0000 Subject: test: add sanity tests for federator handling of AP docs --- test/web/federator_test.exs | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) (limited to 'test/web') diff --git a/test/web/federator_test.exs b/test/web/federator_test.exs index c709d1181..1d48931b5 100644 --- a/test/web/federator_test.exs +++ b/test/web/federator_test.exs @@ -61,4 +61,42 @@ defmodule Pleroma.Web.FederatorTest do Pleroma.Config.put([:instance, :allow_relay], true) end end + + describe "Receive an activity" do + test "successfully processes incoming AP docs with correct origin" do + params = %{ + "@context" => "https://www.w3.org/ns/activitystreams", + "actor" => "http://mastodon.example.org/users/admin", + "type" => "Create", + "id" => "http://mastodon.example.org/users/admin/activities/1", + "object" => %{ + "type" => "Note", + "content" => "hi world!", + "id" => "http://mastodon.example.org/users/admin/objects/1", + "attributedTo" => "http://mastodon.example.org/users/admin", + }, + "to" => ["https://www.w3.org/ns/activitystreams#Public"] + } + + {:ok, _activity} = Federator.handle(:incoming_ap_doc, params) + end + + test "rejects incoming AP docs with incorrect origin" do + params = %{ + "@context" => "https://www.w3.org/ns/activitystreams", + "actor" => "https://niu.moe/users/rye", + "type" => "Create", + "id" => "http://mastodon.example.org/users/admin/activities/1", + "object" => %{ + "type" => "Note", + "content" => "hi world!", + "id" => "http://mastodon.example.org/users/admin/objects/1", + "attributedTo" => "http://mastodon.example.org/users/admin", + }, + "to" => ["https://www.w3.org/ns/activitystreams#Public"] + } + + :error = Federator.handle(:incoming_ap_doc, params) + end + end end -- cgit v1.2.3 From dfcfb184b10428af8d37492e64f271c0275fc2c9 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Sat, 17 Nov 2018 21:22:30 +0000 Subject: activitypub: transmogrifier: make deletes secure --- test/web/activity_pub/transmogrifier_test.exs | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'test/web') diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs index 9174d9b76..829da0a65 100644 --- a/test/web/activity_pub/transmogrifier_test.exs +++ b/test/web/activity_pub/transmogrifier_test.exs @@ -361,6 +361,26 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do refute Repo.get(Activity, activity.id) end + test "it fails for incoming deletes with spoofed origin" do + activity = insert(:note_activity) + + data = + File.read!("test/fixtures/mastodon-delete.json") + |> Poison.decode!() + + object = + data["object"] + |> Map.put("id", activity.data["object"]["id"]) + + data = + data + |> Map.put("object", object) + + :error = Transmogrifier.handle_incoming(data) + + assert Repo.get(Activity, activity.id) + end + test "it works for incoming unannounces with an existing notice" do user = insert(:user) {:ok, activity} = CommonAPI.post(user, %{"status" => "hey"}) -- cgit v1.2.3 From e10f839e9b413a58dfa2c55f136862ec0f56e314 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Sat, 17 Nov 2018 21:41:08 +0000 Subject: tests: federator: fix formatting --- test/web/federator_test.exs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'test/web') diff --git a/test/web/federator_test.exs b/test/web/federator_test.exs index 1d48931b5..02e1ca76e 100644 --- a/test/web/federator_test.exs +++ b/test/web/federator_test.exs @@ -73,7 +73,7 @@ defmodule Pleroma.Web.FederatorTest do "type" => "Note", "content" => "hi world!", "id" => "http://mastodon.example.org/users/admin/objects/1", - "attributedTo" => "http://mastodon.example.org/users/admin", + "attributedTo" => "http://mastodon.example.org/users/admin" }, "to" => ["https://www.w3.org/ns/activitystreams#Public"] } @@ -91,7 +91,7 @@ defmodule Pleroma.Web.FederatorTest do "type" => "Note", "content" => "hi world!", "id" => "http://mastodon.example.org/users/admin/objects/1", - "attributedTo" => "http://mastodon.example.org/users/admin", + "attributedTo" => "http://mastodon.example.org/users/admin" }, "to" => ["https://www.w3.org/ns/activitystreams#Public"] } -- cgit v1.2.3